Android 10 introduces support for the Wi-Fi Alliance's (WFA) Wi-Fi Protected Access version 3 (WPA3) and Wi-Fi Enhanced Open standards. For more information, see Security on the WFA site.
WPA3 is a new WFA security standard for personal and enterprise networks. It aims to improve overall Wi-Fi security by using modern security algorithms and stronger cipher suites. WPA3 has two parts:
- WPA3-Personal: Uses simultaneous authentication of equals (SAE) instead of pre-shared key (PSK), providing users with stronger security protections against attacks such as offline dictionary attacks, key recovery, and message forging.
- WPA3-Enterprise: Offers stronger authentication and link-layer encryption methods, and an optional 192-bit security mode for sensitive security environments.
Wi-Fi Enhanced Open is a new WFA security standard for public networks based on opportunistic wireless encryption (OWE). It provides encryption and privacy on open, non-password-protected networks in areas such as cafes, hotels, restaurants, and libraries. Enhanced Open doesn't provide authentication.
WPA3 and Wi-Fi Enhanced Open improve overall Wi-Fi security, providing better privacy and robustness against known attacks. As many devices don't yet support these standards or haven't yet had software upgrades to support these features, WFA has proposed the following transition modes:
- WPA2/WPA3 transition mode: The serving access point supports WPA2 and WPA3 standards concurrently. In this mode, Android 10 devices use WPA3 to connect, and devices running Android 9 or lower use WPA2 to connect to the same access point.
- WPA2/WPA3-Enterprise transition mode: The serving access point supports WPA2-Enterprise and WPA3-Enterprise standards concurrently.
- OWE transition mode: The serving access point supports both OWE and open standards concurrently. In this mode, Android 10 devices use OWE to connect, and devices running Android 9 or lower connect to the same access point without any encryption.
Android 12 supports Transition Disable indication, a mechanism that instructs a device to not use WPA2 and use WPA3 instead. When a device receives this indication, it uses WPA3 to connect to a WPA3 network that supports a transition mode. Android 12 also supports WPA3 Hash-to-Element (H2E) authentication exchange. For more information, see the WPA3 Specification.
WPA3 and Wi-Fi Enhanced Open are supported only in client mode.
To support WPA3 and Wi-Fi Enhanced Open, implement the supplicant HAL interface
design language (HIDL) provided in the Android Open Source Project (AOSP) at
The following are required to support WPA3 and OWE:
Linux kernel patches to support SAE and OWE
wpa_supplicantwith support for SAE, SUITEB192 and OWE
Wi-Fi driver with support for SAE, SUITEB192, and OWE
Wi-Fi firmware with support for SAE, SUITEB192, and OWE
Wi-Fi chip with support for WPA3 and OWE
Public API methods are available in Android 10 to allow apps to determine device support for these features:
contains new key management types, as well as pairwise ciphers, group ciphers,
group management ciphers, and Suite B ciphers, which are required for OWE,
WPA3-Personal, and WPA3-Enterprise.
Enabling WPA3 and Wi-Fi Enhanced Open
To enable WPA3-Personal, WPA3-Enterprise, and Wi-Fi Enhanced Open in the Android framework:
WPA3-Personal: Include the
CONFIG_SAEcompilation option in the
# WPA3-Personal (SAE) CONFIG_SAE=y
WPA3-Enterprise: Include the
CONFIG_SUITEBcompilation options in the
# WPA3-Enterprise (SuiteB-192) CONFIG_SUITEB=y CONFIG_SUITEB192=y
Wi-Fi Enhanced Open: Include the
CONFIG_OWEcompilation option in the
# Opportunistic Wireless Encryption (OWE) # Experimental implementation of draft-harkins-owe-07.txt CONFIG_OWE=y
If WPA3-Personal, WPA3-Enterprise, or Wi-Fi Enhanced Open aren't enabled, users won't be able to manually add, scan, or connect to these types of networks.
To test your implementation, run the following tests.
to verify the behavior of the capability flags for WPA3 and OWE.
to verify the behavior of the public APIs for this feature.
Integration test (ACTS)
To run an integration test, use the Android Comms Test Suite (ACTS) file,
VtsHalWifiSupplicantV1_3TargetTest to test the behavior of the supplicant
vts-tradefed run commandAndExit vts --skip-all-system-status-check --primary-abi-only --skip-preconditions --module VtsHalWifiSupplicantV1_3Target